Duplicate of bug #74436. TL;DR is that this is an intentional change due to a security fix. We haven't found a way to address both the security issues this fixes and preserve the existing behavior.

[2017-06-01 12:41 UTC] taco at procurios dot nl

Reading the comments of #70213 it seems that the security issue was fixed in another bug fix. Is #70213 really a security fix or should it be reviewed more closely? In practice the current change in behavior makes it impossible to use the __wakeup method, since (in large projects and/or frameworks) there is no way to tell whether or not an object will be unserialized within an unserialize method.

Sorry for being unclear, I was not referring to the bug report you linked. The directly relevant issues are bug #69425, bug #73092 and bug #72731, though this essentially fixes the entire class of wakeup-based unserialize attacks, for which we have dozens of security bug reports.
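The situation the reporter describes, as an added example that is not code from the bug report or from PHP itself (the class and property names Inner, Outer, $ready, $payload and $innerReadyDuringWakeup are made up for the illustration): an object whose __wakeup() calls unserialize() on a nested payload and then inspects state that the nested object's own __wakeup() is expected to have set. Run it on a given PHP build and compare the order of the printed lines. Before the change, the nested object's __wakeup() runs while the nested unserialize() is still parsing, so the flag is already set when that call returns; the thread reports that once __wakeup() calls are deferred to the end of unserialization, the nested hook has not run yet at that point, which is why the reporter says code inside __wakeup() cannot rely on a nested unserialize() having completed the inner object's wakeup.

```php
<?php
// Added illustration for the ordering discussed in this thread; not code
// from the bug report. Class and property names are invented for the demo.

class Inner
{
    public $ready = false;

    // Sets a flag that callers expect to be true once unserialize() returns.
    public function __wakeup()
    {
        echo "Inner::__wakeup\n";
        $this->ready = true;
    }
}

class Outer
{
    /** @var string serialized Inner, built before serialize($outer) */
    public $payload;

    /** @var bool|null what Outer::__wakeup observed on the nested object */
    public $innerReadyDuringWakeup;

    // A __wakeup() that itself calls unserialize(), the pattern the
    // reporter says frameworks cannot avoid.
    public function __wakeup()
    {
        echo "Outer::__wakeup: calling nested unserialize()\n";
        $inner = unserialize($this->payload);

        // Record whether Inner::__wakeup had already run when the nested
        // unserialize() returned. With immediate __wakeup calls this is
        // true; with deferred calls the thread reports it is not.
        $this->innerReadyDuringWakeup = $inner->ready;
        echo "Outer::__wakeup: nested unserialize() returned, inner ready = "
            . var_export($inner->ready, true) . "\n";
    }
}

// Build the nested payload, then the outer blob that carries it.
$outer = new Outer();
$outer->payload = serialize(new Inner());
$blob = serialize($outer);

echo "calling outer unserialize()\n";
$restored = unserialize($blob);
echo "outer unserialize() returned\n";
echo "inner was ready inside Outer::__wakeup: "
    . var_export($restored->innerReadyDuringWakeup, true) . "\n";
```

Save it as a file and run it with the PHP CLI (`php demo.php`); the position of the `Inner::__wakeup` line relative to the `nested unserialize() returned` line shows which behavior the build in use has.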